
how to stop accessing javascript function from the location?

Hi

I have a site, and one page of that site contains AJAX code.
A JavaScript function makes an HTTP request to another page with some arguments in the URL; the server page gets the values from the URL and inserts them into the database.

Someone had looked at my code and then hacked that to enter wrong values into the database.

He directly called the JavaScript function from the location bar itself.

You can't, but it sounds as if you are abusing the HTTP protocol. Requests via GET must be idempotent, i.e., they may not have side effects (like changing a database).

If you want to update a database through Ajax calls, make sure to use POST requests. Those cannot be replicated via the browser's location bar, although they can be faked by malicious external scripts. You'll still need other safety mechanisms in place.

Yes, I also agree that this is a http://en.wikipedia.org/wiki/Cross_site_scripting attack. One of the weaknesses of PHP is that it is too easy, and people start writing scripts with the help of a single article, and security-related issues are about to arise.

Code like this is not a great idea, because anyone could enter that type of URI in their address bar.

You should use a POST request (over a secure connection, if the data is sensitive) instead. Naturally, you must make sure that there is no equally simple way to access this, like the all-in-one JavaScript function you posted.

The function that sends the XMLHttpRequest should retrieve the information from the form fields in the page.

However, since the JavaScript code and the markup are visible to the public, you need additional security measures. The POST request can still be emulated (but not from the address bar), so you have to ascertain the validity using other means, like one-time server-generated tokens.